You restored a new phone, opened the authenticator app, and the ChatGPT entry is not there. Or the old phone is in a drawer with a dead battery and a forgotten PIN. The login screen accepts the password, prompts for a six-digit code, and there is no way through. The backup codes you were told to save at MFA enrollment are nowhere — not in 1Password, not in a Google Doc, not on a sticky note. This is one of the worst account-recovery scenarios because ChatGPT support cannot disable MFA over a casual support ticket; they need identity proof. The good news: most cases resolve in 24-72 hours if you collect the right evidence on the first attempt.
Common causes
Ordered by how often each actually applies.
1. Authenticator app was never backed up to the cloud
Google Authenticator, Microsoft Authenticator, and older Authy installs do not auto-sync TOTP secrets across devices by default. A factory reset, lost phone, or “restore from backup” that skips app data wipes the seeds permanently.
How to spot it: The new phone shows the authenticator app reinstalled but with zero entries, or only entries you re-added manually.
2. Backup codes were generated but never saved
ChatGPT shows the 10 single-use codes once at MFA setup. Many users dismiss the modal assuming they can re-display them later. They cannot — the codes are only shown at enrollment and after an explicit regenerate.
How to spot it: Search your password manager and email for chatgpt, openai, and 8-character alphanumeric strings. No hits means they were never stored.
3. Backup codes were saved but reformatted
Codes are often pasted into a note with smart quotes, line wraps, or trailing spaces. The login form rejects them as invalid even though the characters look right.
How to spot it: You have a list that looks like backup codes, but every attempt returns “invalid code”. Inspect for non-ASCII punctuation or stripped dashes.
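The check described above can be done mechanically. This is an added example, not code from OpenAI or from the original page: `clean_code` and `audit_note` are hypothetical helper names, and the sample codes and their `xxxx-xxxx` shape are constructed for illustration, not ChatGPT's actual format.

```python
import unicodedata
from collections import Counter

# Dash look-alikes that word processors substitute for ASCII "-".
DASHES = {ord(c): "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2212"}
# Smart/straight quotes and zero-width characters: dropped outright.
DROP = {ord(c): None for c in "\u2018\u2019\u201c\u201d\"'\u200b\u200c\u200d\ufeff"}

# Constructed sample note: clean, smart-quoted with en dash, trailing space, wrapped.
SAMPLE_NOTE = "abcd-1234\n\u201cefgh\u20135678\u201d\nijkl-9012 \nmnop-\n3456\n"


def clean_code(raw):
    """Return (cleaned_code, findings) for one pasted backup code."""
    findings = [
        f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
        for c in raw if ord(c) > 127
    ]
    if raw != raw.strip():
        findings.append("leading/trailing whitespace")
    text = unicodedata.normalize("NFKC", raw)   # NBSP -> space, full-width -> ASCII
    text = text.translate(DASHES).translate(DROP)
    text = "".join(text.split())                # remove all remaining whitespace
    leftover = sorted(
        {c for c in text if not (c.isascii() and (c.isalnum() or c == "-"))}
    )
    if leftover:
        findings.append(f"unexpected characters kept: {leftover}")
    return text, findings


def audit_note(note):
    """Clean every non-empty line of a saved note and flag odd-length entries."""
    rows = [clean_code(line) for line in note.splitlines() if line.strip()]
    if not rows:
        return []
    usual = Counter(len(code) for code, _ in rows).most_common(1)[0][0]
    for code, findings in rows:
        if len(code) != usual:
            findings.append(f"length {len(code)} != usual {usual}: wrapped or truncated?")
    return rows


if __name__ == "__main__":
    for code, findings in audit_note(SAMPLE_NOTE):
        print(code, findings)
```

Run it locally on a copy of the note; entries flagged for length are usually one code split across two lines and need to be rejoined by hand.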
4. SMS fallback was disabled or the number was ported
Some accounts had SMS as a secondary factor but it was later removed for security, or the original phone number was ported / recycled to a new carrier. The “send code via SMS” option is gone or sends to a number you no longer own.
How to spot it: The MFA screen does not offer SMS at all, or it sends to a partially masked number you do not recognize.
5. Account uses a security key (WebAuthn) and the key is missing
Pro / Enterprise users sometimes enrolled a hardware key (YubiKey, Titan) as the only second factor. If the key is lost or broken and no backup key was registered, software MFA recovery flows do not apply.
How to spot it: The login prompt says “insert your security key” and offers no TOTP / SMS alternative.
6. Wrong account — the MFA is on a different email
If you have two ChatGPT accounts (personal + work, or Google SSO + email-password) it is easy to type the wrong email and assume MFA is broken. The other account does not have MFA at all.
How to spot it: Try the login with each email variant. If one accepts password-only, the MFA was on the other account, not the one you are trying.
Before you start
- Stop hammering the login form. After 5-10 failed MFA attempts ChatGPT may rate-limit or temporarily lock the account, adding 1-24 hours to recovery.
- Find any device that may still hold a live session — old laptop, work desktop, mobile app you have not signed out of. An active session is recovery gold.
- Locate the original signup email and any payment receipts; OpenAI support will ask.
- If this is a Team / Enterprise account, contact your workspace admin first — they can disable MFA for you in seconds without a support ticket.
Information to collect
- The exact email address on the account (including capitalization and dots for Gmail).
- Approximate date of account creation and approximate date of last successful login.
- Last 4 digits of the payment card on file, if you have a paid plan.
- A government ID matching the billing name (required by support for identity proof).
- Screenshots of any active session you find on another device — /api/auth/session JSON or the account email visible in the UI.
- The model of phone the authenticator was on, and whether it was factory-reset or replaced.
Step-by-step fix
Cheapest paths first; escalate only when each fails.
Step 1: Try every saved location for backup codes
Search exhaustively before opening a support ticket. In your password manager:
chatgpt
openai
2fa
mfa
backup
recovery
In your email, search for noreply@tm.openai.com, noreply@auth.openai.com, and any message with subject containing “two-factor” or “verification”. The original MFA enrollment confirmation sometimes includes the codes inline.
Step 2: Find a still-authenticated device
Open ChatGPT on every browser profile, phone, tablet, and old laptop you own. If any session is still active:
1. Open https://chatgpt.com → confirm logged in
2. Navigate to Settings → Security → Multi-factor authentication
3. Click "Disable" or "Regenerate backup codes"
4. Save the new codes immediately
5. Log out of the device only AFTER the new codes are saved
This is the fastest path; it bypasses support entirely.
Step 3: Use the “Trouble signing in?” flow
On the MFA prompt screen, click Trouble signing in? (sometimes labeled Other ways to verify). Available alternatives may include:
- One-time email magic link
- SMS to a previously verified phone
- Recovery email if one was configured
If any of these work, log in, then immediately disable and re-enroll MFA with backup codes saved this time.
Step 4: Open a support ticket with full identity proof
Go to https://help.openai.com, click Messages, and submit a ticket. Include in the first message:
Subject: Locked out of MFA — account [your email]
Body:
- Account email: <your-email>
- Plan: Plus / Team / Enterprise / Free
- Approximate signup date: <month/year>
- Last 4 of payment card on file: <####>
- Last successful login (approx date): <date>
- Device that held authenticator: <make/model>
- Reason MFA is inaccessible: <factory reset / phone lost / etc>
Attached: photo of government ID matching billing name.
I cannot recover backup codes. Please disable MFA so I can re-enroll.
One detailed message beats five vague follow-ups. Tickets with ID + payment proof typically resolve in 24-48 hours.
Step 5: Use a session-cookie export if you find one
If you find a logged-in browser but it will not let you reach Settings (some flows re-challenge MFA for sensitive pages), export the cookies and inject them into a fresh profile:
# In DevTools on the logged-in browser:
# Application → Cookies → chatgpt.com → copy __Secure-next-auth.session-token
Then in a new browser, set the same cookie before navigating. Note: this is a personal-recovery technique on your own account only; not for shared / Team accounts.
Step 6: Re-enroll MFA correctly after recovery
Once you are back in, immediately:
- Go to Settings → Security → Multi-factor authentication.
- Click Regenerate backup codes.
- Save the 10 codes in your password manager as a secure note titled ChatGPT MFA backup codes.
- Re-add the TOTP entry to an authenticator that syncs across devices (Authy with cloud backup, 1Password TOTP, Bitwarden).
- Enroll a second factor type if possible (TOTP + security key, or TOTP + SMS).
Verify
- Log out completely, log back in, and confirm MFA prompt accepts the new TOTP code.
- Try one of the freshly saved backup codes (it will be consumed — generate a replacement immediately).
- On a second device, log in and confirm the new authenticator entry produces a matching code.
- Check Settings → Security → Active sessions and revoke any session you do not recognize.
Long-term prevention
- Always save the 10 backup codes the moment they appear at MFA enrollment. Treat the modal like a one-shot screen because it is.
- Use an authenticator that syncs to the cloud — Authy, 1Password, Bitwarden, iCloud Keychain. Google Authenticator now syncs too but requires explicit opt-in.
- Register at least two TOTP devices (phone + tablet) so loss of one is not catastrophic.
- For Plus / Team accounts, register a recovery email different from the primary login email.
- Keep a paper printout of backup codes in a home safe for catastrophic device loss.
- If you use a hardware security key, always register a second key as backup and store it separately.
Common pitfalls
- Reusing the same backup code twice — each is single-use and burning one in panic does not help if you cannot complete login.
- Submitting a support ticket without identity proof and then waiting — support will reply asking for ID, adding 12-24 hours.
- Creating a new ChatGPT account because the old one feels lost — the new account does not inherit your subscription, history, projects, or custom GPTs.
- Trying to reset the password instead of MFA — password reset does not bypass MFA, and locking your password too makes recovery harder.
- Pasting backup codes from a Word doc that auto-corrected dashes; type them by hand or paste from plain text.
- Asking your bank to issue a chargeback to “force support attention” — this gets the account terminated, not unlocked.
FAQ
Q: Will OpenAI support ever ask for my password to verify identity?
No. Support will never request your password. Anyone asking for it is a phishing attempt; report and delete.
Q: How long does MFA reset typically take after a ticket with ID?
24-72 hours for individual accounts. Team / Enterprise tickets routed through the workspace admin are usually under 1 hour because the admin acts directly.
Q: Can I just delete the account and resubscribe to get past MFA?
You can request deletion, but the email enters a cooldown (often 14-30 days) before you can register the same email again. You also lose all history. Recover the account instead.
Q: My authenticator says the code is “expired” before I can type it. What is wrong?
Phone clock drift. TOTP needs the device clock within 30 seconds of server time. Enable automatic time sync on the phone — see ChatGPT 2FA locked out for the full fix.
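Why clock drift breaks a code, as an added example that is not from the original page or from OpenAI: a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) using the RFC's published test secret. `step_offset`, `accepted` and the `window` value are assumptions for illustration; the page does not document how many adjacent steps the real server checks.

```python
import hashlib
import hmac
import struct

STEP = 30                            # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"     # RFC 6238 Appendix B test secret, not a real seed


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given clock reading."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F          # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def step_offset(secret, shown_code, server_time, max_steps=10):
    """Return k if shown_code belongs to server step + k, else None.

    A non-zero k means the device clock sits k steps away from the server.
    """
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        t = server_time + k * STEP
        if t < 0:
            continue
        if hmac.compare_digest(shown_code, totp(secret, t)):
            return k
    return None


def accepted(secret, device_time, server_time, window=1):
    """Would a verifier that checks +/- window steps accept the device's code?"""
    shown = totp(secret, device_time)
    return step_offset(secret, shown, server_time, max_steps=window) is not None


if __name__ == "__main__":
    server, device = 1111111111, 1111111109   # device clock 2 s slow, across a boundary
    print("device shows:", totp(SECRET, device))
    print("server expects:", totp(SECRET, server))
    print("strict verifier:", accepted(SECRET, device, server, window=0))
    print("one-step window:", accepted(SECRET, device, server, window=1))
```

With a one-step window, any drift of up to 30 seconds lands on a step the verifier also checks, which is why keeping the phone clock synced resolves the "expired" symptom.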
Q: Does this also apply to ChatGPT Enterprise SSO accounts?
Partially. If your org uses SSO, MFA may be controlled by your identity provider (Okta, Azure AD). Recovery goes through your IT admin, not OpenAI. See ChatGPT Enterprise SSO fail.